Cross-Chain TxDataHiding Crypto Heist: A Very Chainful Process (Part 1)
Executive Summary
In September 2025, Ransom-ISAC was brought in by Crystal Intelligence to investigate a cryptocurrency and data theft attempt carried out via a private weaponised GitHub repository. What initially appeared to be a standard phishing campaign quickly evolved into something far more sophisticated: a multi-layered attack leveraging novel blockchain-based command-and-control infrastructure and cross-platform malware designed to compromise development environments at scale.
Part 1 of this series examines a campaign potentially attributed to the DPRK, in which novel tradecraft such as Cross-Chain TxDataHiding techniques was combined with the subsequent creation of takedown-proof command-and-control (C2) infrastructure. Part 2 continues with a holistic analysis of the core malicious payloads, giving a complete view of the entire kill chain.
Part 3 expands on the findings of Parts 1 and 2, focusing on the infrastructure leveraged by the threat actor during the campaign, which can support attribution in the later stages. Through the …
IoC